How GuardDuty Protects S3 from Malware
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the top news, tools, videos, and articles in the TechOps industry.
IN TODAY'S EDITION
🧠 Use Case
How GuardDuty Protects S3 from Malware
🚀 Top News
GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks
📽️ Videos
Monolith vs Microservices - Dave Farley - GOTO 2024
Kubernetes LoadBalancer Service for External Access
📚️ Resources
A Beginner's Guide to Using AWS CloudTrail
Git: avoid reset --hard, use reset --keep instead
🛠️ TOOL OF THE DAY
nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL.
🧠 USE CASE
How GuardDuty Protects S3 from Malware
As some of you may know, AWS launched Amazon GuardDuty Malware Protection for S3 on 11 Jun 24, and I've noticed increased interest from organizations exploring this option.
This is how it typically flows:

GuardDuty continuously monitors S3 objects using advanced threat detection.
When malware is detected, GuardDuty tags the object so it is visible for further investigation.
The malware is automatically quarantined to prevent it from spreading further.
EventBridge monitors these malware events.
Upon detection, EventBridge triggers Lambda for automation tasks.
Lambda automates actions like moving infected files to a quarantine bucket, logging the incidents for tracking, and notifying teams for prompt response.
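The EventBridge-to-Lambda step above is the part teams end up writing themselves, so here is an added example of that remediation function. It is not code from AWS or from TechOps Examples. It assumes the "GuardDuty Malware Protection Object Scan Result" EventBridge event layout built in make_scan_event() (bucket and key under detail.s3ObjectDetails, the verdict under detail.scanResultDetails.scanResultStatus); treat those field names as an assumption to check against the current AWS documentation. The quarantine bucket name, SNS topic ARN, bucket names and the RecordingClient stand-in are all constructed for the example.

```python
"""EventBridge -> Lambda remediation for GuardDuty Malware Protection for S3 scan results.

Added example, not code from AWS or TechOps Examples. The event layout in make_scan_event()
is an assumption about the 'GuardDuty Malware Protection Object Scan Result' event; verify
the field names against the current AWS documentation before deploying.
"""
import json
import logging
import os
from dataclasses import dataclass
from typing import Optional, Tuple

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

# Hypothetical settings; in Lambda these come from environment variables.
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "example-quarantine-bucket")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:malware-alerts")
SCAN_EVENT_TYPE = "GuardDuty Malware Protection Object Scan Result"


@dataclass(frozen=True)
class ScanResult:
    bucket: str
    key: str
    version_id: Optional[str]
    status: str                 # mirrors the GuardDutyMalwareScanStatus tag value
    threats: Tuple[str, ...]


def make_scan_event(bucket, key, status, threats=(), version_id=None):
    """Build a constructed sample event in the assumed EventBridge layout (for local runs)."""
    return {
        "source": "aws.guardduty",
        "detail-type": SCAN_EVENT_TYPE,
        "detail": {
            "scanStatus": "COMPLETED",
            "resourceType": "S3_OBJECT",
            "s3ObjectDetails": {"bucketName": bucket, "objectKey": key, "versionId": version_id},
            "scanResultDetails": {"scanResultStatus": status, "threats": [{"name": t} for t in threats]},
        },
    }


def parse_scan_event(event):
    """Extract what remediation needs; reject events that are not scan results."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != SCAN_EVENT_TYPE:
        raise ValueError("not a GuardDuty Malware Protection scan result event")
    detail = event["detail"]
    obj = detail["s3ObjectDetails"]
    result = detail.get("scanResultDetails") or {}
    return ScanResult(
        bucket=obj["bucketName"],
        key=obj["objectKey"],
        version_id=obj.get("versionId"),
        status=result.get("scanResultStatus", "FAILED"),
        threats=tuple(t.get("name", "unknown") for t in result.get("threats") or []),
    )


def remediate(result, s3, sns):
    """Quarantine on THREATS_FOUND, stay quiet on NO_THREATS_FOUND, escalate anything else."""
    if result.status == "THREATS_FOUND":
        source = {"Bucket": result.bucket, "Key": result.key}
        if result.version_id:
            source["VersionId"] = result.version_id
        # Copy first (keeping the THREATS_FOUND tag so the copy stays blocked), delete afterwards.
        s3.copy_object(Bucket=QUARANTINE_BUCKET, Key=f"{result.bucket}/{result.key}",
                       CopySource=source, TaggingDirective="COPY")
        s3.delete_object(**source)
        action = "quarantined"
    elif result.status == "NO_THREATS_FOUND":
        action = "none"
    else:
        # UNSUPPORTED / ACCESS_DENIED / FAILED: the object was never verified, so a human must look.
        action = "needs_review"
    summary = {"action": action, "bucket": result.bucket, "key": result.key,
               "status": result.status, "threats": list(result.threats)}
    logger.info(json.dumps(summary))          # structured log line for the incident trail
    if action != "none":
        sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject=f"GuardDuty S3 malware: {action}",
                    Message=json.dumps(summary, indent=2))
    return summary


def lambda_handler(event, context=None, s3=None, sns=None):
    """Lambda entry point; clients are injectable so the logic can run offline."""
    if s3 is None or sns is None:
        import boto3  # imported lazily so local runs need neither boto3 nor AWS credentials
        s3 = s3 or boto3.client("s3")
        sns = sns or boto3.client("sns")
    return remediate(parse_scan_event(event), s3, sns)


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


if __name__ == "__main__":
    s3, sns = RecordingClient(), RecordingClient()
    event = make_scan_event("example-upload-bucket", "incoming/report.pdf", "THREATS_FOUND",
                            threats=("EICAR-Test-File (not a virus)",), version_id="v1")
    print(lambda_handler(event, s3=s3, sns=sns))
    for name, kwargs in s3.calls + sns.calls:
        print(name, kwargs)
```

Two design choices worth noting: the copy happens before the delete, so a failed copy leaves the tagged object in place rather than losing the evidence, and a status other than the two definite verdicts (UNSUPPORTED, ACCESS_DENIED, FAILED) is treated as "unverified" and escalated instead of being silently accepted. The Lambda's execution role needs s3:GetObject and s3:GetObjectTagging on the source bucket, s3:PutObject on the quarantine bucket, s3:DeleteObject (or DeleteObjectVersion) on the source, and sns:Publish on the topic.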
When enabling Malware Protection for S3 on a bucket, you can either:
scan every object in the bucket, or
restrict scanning to objects under a specific prefix.

Make sure the permissions GuardDuty needs to scan the bucket are configured in the IAM role policy.
Find the IAM role policy instructions here.
Key Pointers You Should Know:
You can enable Malware Protection for S3 on buckets in your own account, but not on member accounts' buckets as a delegated administrator.
This feature is only available for S3 buckets in the same Region selected in the GuardDuty console; cross-Region buckets aren't supported.
You receive EventBridge notifications for plan status changes in member accounts' buckets.
It detects malicious file uploads in the selected S3 buckets.
Even if GuardDuty itself is not enabled, you can still enable Malware Protection for S3 on its own.
Scanned objects are tagged with GuardDutyMalwareScanStatus, which takes one of these values:
| Tag value        | Meaning                    |
| NO_THREATS_FOUND | No threats detected        |
| THREATS_FOUND    | Potential threats detected |
| UNSUPPORTED      | Scanning not supported     |
| ACCESS_DENIED    | Object access restricted   |
| FAILED           | Scanning unsuccessful      |
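The tag is only useful as a control if readers are blocked until it says NO_THREATS_FOUND and if nobody but the scanner can write it. Here is an added example of a bucket policy generator that applies both rules, plus a small local replica of the read rule so you can reason about edge cases before deploying. It is not code from AWS or TechOps Examples; it follows the tag-based access control pattern described in the GuardDuty documentation as I understand it, and the account id, bucket name and role names are placeholders. One caveat to verify against the IAM documentation for NotPrincipal: depending on how the exempted roles are assumed, the assumed-role session ARN may also need to be listed alongside the role ARN.

```python
"""Tag-based access control for the GuardDutyMalwareScanStatus tag.

Added example, not code from AWS or TechOps Examples. Account id, bucket and role ARNs are
placeholders; the NotPrincipal handling of assumed-role sessions should be checked against
the IAM documentation before this is applied to a real bucket.
"""
import json

TAG_KEY = "GuardDutyMalwareScanStatus"
CLEAN = "NO_THREATS_FOUND"
# Values from the scan status table above; anything else (or no tag at all) means "unverified".
KNOWN_STATUSES = {"NO_THREATS_FOUND", "THREATS_FOUND", "UNSUPPORTED", "ACCESS_DENIED", "FAILED"}


def bucket_policy(bucket, scanner_role_arn, remediation_role_arn):
    """Bucket policy that serves only objects GuardDuty has tagged clean.

    StringNotEquals evaluates to true when the tag is missing, so objects that have not been
    scanned yet are denied as well, which is the safe default for a drop zone. The remediation
    role is exempt from the read deny so it can copy infected objects out; only the scanner
    role may create or remove the tag, so a writer cannot forge a clean verdict.
    """
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyReadUnlessScannedClean",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [remediation_role_arn]},
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": objects,
                "Condition": {"StringNotEquals": {f"s3:ExistingObjectTag/{TAG_KEY}": CLEAN}},
            },
            {
                "Sid": "OnlyScannerMayTag",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [scanner_role_arn]},
                "Action": ["s3:PutObjectTagging", "s3:DeleteObjectTagging"],
                "Resource": objects,
            },
        ],
    }


def policy_json(bucket, scanner_role_arn, remediation_role_arn):
    """Serialized form, as you would pass it to put-bucket-policy."""
    return json.dumps(bucket_policy(bucket, scanner_role_arn, remediation_role_arn), indent=2)


def read_allowed(object_tags, principal_arn, remediation_role_arn):
    """Local replica of the read-deny statement: does this principal get the object?

    Mirrors the policy semantics above: the exempt role always reads; everyone else reads only
    when the tag is present and equal to NO_THREATS_FOUND. Unknown or missing values fail closed.
    """
    if principal_arn == remediation_role_arn:
        return True
    status = object_tags.get(TAG_KEY)
    if status not in KNOWN_STATUSES:
        return False
    return status == CLEAN


if __name__ == "__main__":
    account = "123456789012"   # placeholder account id
    scanner = f"arn:aws:iam::{account}:role/GuardDutyMalwareProtectionRole"
    remediator = f"arn:aws:iam::{account}:role/MalwareRemediationLambda"
    print(policy_json("example-upload-bucket", scanner, remediator))
    for tags in ({TAG_KEY: "NO_THREATS_FOUND"}, {TAG_KEY: "THREATS_FOUND"}, {}):
        print(tags, "->", read_allowed(tags, f"arn:aws:iam::{account}:role/AppReader", remediator))
```

Because the first statement denies reads on anything not tagged clean, applications that consume the bucket must tolerate a short window after upload in which the object exists but cannot be read; if that is not acceptable, route uploads to a separate landing bucket and let the remediation step promote clean objects.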
For further exploration:
Hope you find this use case helpful in your learning journey!